President Obama’s pick to take over the National Security Agency, Vice Admiral Michael Rogers, told Congress that he has no serious reform agenda for the agency except in one area: public relations. The NSA’s main problem, Rogers said in his Senate confirmation hearing on Tuesday, is not the controversial stockpiling of personal data, nor the tactic of subverting encryption standards, but that the agency didn’t effectively communicate its reasons for doing so.

Rogers’ confirmation hearing for his parallel role as the military’s U.S. Cyber Command commander – the NSA post does not require Senate approval – provided a rare opportunity for lawmakers and the public to hear his opinion on privacy, which has been relatively unknown.

“I believe one of the takeaways from the situation over the last few months is that as an intelligence professional…I have to be capable of communicating in a way that highlights what we are doing and why to the greatest extent possible,” Rogers said to the Senate Armed Services Committee.

Rogers spoke only briefly on the NSA’s controversial practice of collecting bulk metadata on individuals. The Privacy and Civil Liberties Oversight Board, an independent review panel, recently found that the way the NSA was collecting metadata did not comply with Patriot Act requirements and was illegal. That suggests changes are coming in the way that the agency either stores or uses metadata; but the form those changes will take has yet to be determined.


Metadata refers to data about data. In addition to Internet data, it includes phone company records about who called whom, at what time, and for how long, but it doesn’t include the literal content of the conversation. In June, after former NSA contractor Edward Snowden’s disclosures, Obama defended the metadata collection practice, saying, “No one is listening to your phone calls.”

Yet consumer metadata can reveal plenty. The conversation patterns between two individuals on Facebook can predict the likelihood that they will end up in a relationship. Email and communication patterns in an office setting can predict whether an employee is likely to quit. In business, knowing who is calling whom and when can also yield an unfair market advantage, according to experts.

“Suppose the head of Oracle calls the head of a company that Oracle is looking to acquire on a Friday. And after the phone call, both CEOs call their general counsel. That information says that a buyout is going to happen,” computer scientist Susan Landau said at a SXSW privacy panel in Austin, Texas, this week, where Snowden spoke to conferees and the NSA controversy was a hot topic.
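The inference Landau describes needs nothing but call records. The following Python script is an added example, not code from the article or from any of the people it quotes: it runs over a handful of constructed call-detail records (timestamp, caller, callee, duration; no content) and flags the pattern she sketches, a CEO-to-CEO call followed within a short window by each CEO calling their own general counsel. The company names, phone identities, roles and timestamps are hypothetical placeholders.

```python
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed call-detail records (CDRs): timestamp, caller, callee, duration
# in seconds. Metadata only; there is no call content anywhere in this file.
# All parties, companies and times are hypothetical.
CDR_TEXT = """\
2014-03-06T11:00:00,widget-ceo,widget-gc,300
2014-03-07T16:02:10,acme-ceo,widget-ceo,1320
2014-03-07T16:31:05,acme-ceo,acme-gc,600
2014-03-07T16:40:44,widget-ceo,widget-gc,900
2014-03-07T17:10:00,acme-ceo,acme-assistant,60
2014-03-10T09:15:00,acme-ceo,widget-ceo,120
"""

# Hypothetical directory mapping a phone identity to (organisation, role).
# This is the kind of mapping an analyst reconstructs from public sources;
# it is the only thing added to the raw metadata.
DIRECTORY = {
    "acme-ceo": ("acme", "ceo"),
    "acme-gc": ("acme", "general_counsel"),
    "acme-assistant": ("acme", "assistant"),
    "widget-ceo": ("widget", "ceo"),
    "widget-gc": ("widget", "general_counsel"),
}


def parse_cdrs(text):
    """Parse CSV-style CDR lines into dicts, sorted by start time."""
    records = []
    for row in csv.reader(StringIO(text)):
        if not row:
            continue
        ts, caller, callee, secs = row
        records.append({
            "time": datetime.fromisoformat(ts),
            "caller": caller,
            "callee": callee,
            "seconds": int(secs),
        })
    return sorted(records, key=lambda r: r["time"])


def role_of(party):
    """Look up (organisation, role) for a party; unknown parties get (None, None)."""
    return DIRECTORY.get(party, (None, None))


def find_deal_signals(records, window=timedelta(hours=2)):
    """Flag each CEO-to-CEO call between different companies after which
    BOTH CEOs call their own general counsel within `window`.
    Returns one dict per flagged call."""
    signals = []
    for i, call in enumerate(records):
        org_a, role_a = role_of(call["caller"])
        org_b, role_b = role_of(call["callee"])
        if role_a != "ceo" or role_b != "ceo" or org_a == org_b:
            continue
        deadline = call["time"] + window
        followed_up = {org_a: False, org_b: False}
        # Records are sorted, so stop scanning once we pass the window.
        for later in records[i + 1:]:
            if later["time"] > deadline:
                break
            c_org, c_role = role_of(later["caller"])
            e_org, e_role = role_of(later["callee"])
            if (c_role == "ceo" and e_role == "general_counsel"
                    and c_org == e_org and c_org in followed_up):
                followed_up[c_org] = True
        if all(followed_up.values()):
            signals.append({
                "time": call["time"],
                "companies": sorted((org_a, org_b)),
                "call_seconds": call["seconds"],
            })
    return signals


if __name__ == "__main__":
    for signal in find_deal_signals(parse_cdrs(CDR_TEXT)):
        print(f"{signal['time']:%Y-%m-%d %H:%M}: possible deal talks between "
              f"{' and '.join(signal['companies'])} "
              f"({signal['call_seconds']} s CEO-to-CEO call, both counsel called within 2 h)")
```

Only the 7 March call is flagged: the 10 March CEO-to-CEO call has no counsel follow-ups, and the 6 March counsel call is not preceded by a CEO-to-CEO call. Nothing here reads content; the signal comes entirely from who called whom and when, which is the point of the privacy argument above.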

Rogers, who currently commands the Navy’s 10th Fleet and U.S. Fleet Cyber Command, said that he supported the president’s January policy directive that proposes a review of the bulk metadata collection process in order to find ways the U.S. can more easily collect more specific data, but doesn’t call for the end of the practice. “Within one year… the [Director of National Intelligence], in coordination with the heads of relevant elements of the [intelligence community] and [Office of Science and Technology Policy], shall provide me with a report assessing the feasibility of creating software that would allow the [intelligence community] more easily to conduct targeted information acquisition rather than bulk collection.”

When asked by Sen. Ted Cruz, R-Tex., if the U.S. should continue the practice of using consumer metadata, Rogers said, “I believe we can still do this in a way that ensures the protection of our citizens while also providing us insights that generate value.”

The research firm IDC says we are likely to generate as much as 50 times as much data in the year 2020 as we do today, already on the order of 1.8 million megabytes a year. This data won’t be limited to how we talk or stream entertainment, our primary data-generating activities today, but will also cover how we interact with the increasingly computerized world around us. Future metadata could include information on how often we use smart appliances like Internet-connected refrigerators, when we activate smart thermostats, even the functioning of Wi-Fi enabled pacemakers. All of the digital exchanges that interconnected machines create when trying to provide us with services fall under the broad category of metadata.

Obama’s January directive opens up the possibility of third parties such as telephone companies and Internet service providers maintaining metadata stockpiles, rather than the government holding all that data at not-so-secret facilities. These third parties would then give the government access to portions of that data on the basis of specific requests.

Carriers like AT&T already hold and use customer data for marketing. But relying on phone companies to maintain customer data for possible future government investigations isn’t a popular idea among technologists. Landau called the scheme “a security nightmare.” She says that although AT&T “has kept that data for decades…these days, that data is much less secure.”

Privacy advocates continue to dismiss the president’s reform efforts as lackluster, rejecting the notion of a single presidential policy directive as an effective accountability measure. “The problem with presidential directives is that the president can issue a second directive,” Cato scholar Julian Sanchez said at SXSW on Saturday.

Bulk data collection is only one of the many controversial NSA activities that the Snowden leaks have revealed. Another is the federal government’s bypassing of the encrypted security features of services like Google and Yahoo to intercept data, part of the agency’s so-called MUSCULAR program. Ironically, NSA infiltration of services like Yahoo, and Snowden’s disclosure of those vulnerabilities, have prompted Silicon Valley players to improve their encrypted firewalls.

“The advancements in crypto over the last six months have been massive,” said Matthew Prince, CEO of the company CloudFlare at a SXSW panel.

For many in the privacy and technology community, the MUSCULAR program represents a particularly stinging insult. One aspect of the program involved the systematic weakening of encryption standards so that the NSA could break into more networks and systems via backdoors.

“This points to a serious internal mission/goals conflict. After all, the [United States Government] is supposed to be for cybersecurity. U.S. policy regularly calls on everyone to do a better job of securing devices and networks. And yet the NSA actually weakens crypto and exploits vulnerabilities when it could be trying to get everyone to fix them,” Electronic Frontier Foundation senior staff attorney Lee Tien told Defense One.

In his confirmation hearing, Rogers mentioned Snowden by name only twice, and only to demur from further comment about him. The admiral did argue that Snowden’s disclosures had harmed the agency, its mission and national security.

Snowden, meanwhile, has been participating more actively in public events. He remotely attended SXSW on Monday to great fanfare. Of perhaps greater concern for U.S. lawmakers, Snowden also recently appeared before the European Parliament to offer public testimony on NSA surveillance of European targets and other sensitive activities. Snowden discussed the MUSCULAR program, though he did not mention it by name, stating that “the intentional weakening of the common security standards upon which we all rely is an action taken against the public good.” He also discussed his reasons for making his disclosures and argued for more oversight of the agency.

“Better oversight could have prevented the mistakes that brought us to this point, as could an understanding that defense is always more important than offense when it comes to matters of national intelligence.”

Rogers gave no indication in his testimony that he’s interested in additional congressional oversight.

Patrick Tucker is technology editor for Defense One. He’s also the author of The Naked Future: What Happens in a World That Anticipates Your Every Move? (Current, 2014). Previously, Tucker was deputy editor for The Futurist for nine years. Tucker has written about emerging technology in Slate, The ...